Cybercrime and identity theft is a growing concern for all of us. It can cause devastating financial damage, but how much is our personal information really worth to cyber criminals? While many of us have now fallen victim to some form of cybercrime, most people are still unaware of our personal information’s value on the dark web.
The current toll of cybercrime
Australian Government researchers on Cybercrime in Australia surveyed 13,887 computer users in early 2023. They found that 47% of respondents had experienced at least one cybercrime in the previous 12 months, and 34% had experienced a breach of their personal data.
Malicious actors have now stolen trillions of dollars from unsuspecting consumers around the globe. According to varied publicly available research, the average fraud or identity theft victim loses anywhere from $200 to $1200.
Cybercriminals have built a reliable business model by exploiting unassuming internet users and insecure systems. The costs of data breaches to organisations are well reported, with IBM’s Cost of a Data Breachbeing the yardstick. Currently, the global average cost of a data breach is USD $4.35 million, with more than 80% of organisations saying they’ve experienced at least one cyber security incident.
The marketplace of identity theft
Less well reported is the individual sale price of personal data to criminals. However, analysis by Privacy Affairs in their Dark Web Price Index 2023 reveals the current price of various personal details on the dark web, including:
- Credit card details: $20 – $100
- Gmail account: $60
- Airbnb account: $300
- Australian driver’s license: $40
- EU Passport: $3000
Like in the legal economy, the dark web has a network of forums and multiple markets to transact illicit goods and services. Information leveraged for fraud is in demand, including personally identifiable information, payment card data, credentials, access to compromised systems, distributed denial-of-service, forged documents, and compromised access services.
The true scale of the identity theft business model
If passports can sell for upwards of $3000 apiece on the dark web, we can see the windfall that awaits by extrapolating that to a few million records. If hackers obtained data on five million customers, even if they sell only the email addresses at 20 cents a pop, they have just made over a quarter of a million dollars from one hack.
It may be surprising to hear that personally identifiable information may be worth less than a few dollars to cyber criminals. Still, hackers can use the information for a variety of malicious purposes. These activities could be leveraging the knowledge for a financial loan, credit applications, fraudulent bank accounts, or even gaining access to existing personal accounts.
Ransomware is now a corporate machine
Ransomware remains one of the most high-profile forms of cyberattack for stealing these high-value datasets. It seems as if there is a new ransomware victim on the evening news every week. Unsurprisingly, ransomware represents a staggering 24% of data breach incidents, according to Verizon’s 2023 Data Breach InvestigationsReport.
The average revenue that cybercriminals collect from ransomware is difficult to quantify, but we do know that many of these criminals operate in a highly organised corporate structure.
After declaring their support for Russia’s invasion of Ukraine, pro-Ukrainian hacktivists managed to expose the internal communications of the infamous Russian ransomware group Conti. Amongst the many startling insights in this hack, it was revealed that Conti had:
- annual revenues of $90 million
- payroll for 60 employees totalling $165,000
- monthly salary for developers of $2,000
- two physical offices with a monthly rent of $26,000
- performance bonuses for “salespeople” involved in successful ransom collections
Cyber security best practices
So how do organisations and individuals bolster their data security against this new breed of cybercriminals? The answer lies in understanding your current cyber security posture and enlisting the help of a trusted managed services partner
Enforce password policies
Preventing an attacker from getting access to any account containing or giving access to personal information is vital. Organisations can make it much harder for malicious actors to break into multiple accounts with similar passwords by enforcing password policies for greater complexity and length while ensuring that multi-factor authentication is enabled.
User awareness training
We know through varied research that the most common way criminals steal data is still via spear-phishing campaigns. If a phishing attack is successful, the malicious attacker gets valuable data dumps containing emails and passwords. With many people still using the same password for several accounts, attackers can then use this information to access accounts on other platforms. Therefore, user awareness training is essential for helping individuals to identify malicious emails and links while ensuring they delete and report any suspicious communications they receive.
Invest in the right technology and tools
A combination of people, processes, and technology is critical to building a preventative and proactive cyber security approach. Some of the vital steps organisations can take to achieve that include:
- continuous monitoring of assets
- integrating actionable intelligence into the ecosystem
- automation of remediation activities, such as automatic lockdowns when credentials are exposed – allowing security teams to remediate threats before they become cyberattacks
Creating cyber resiliency
At CT, we can help you adopt best practice cyber security practices in a multi-layered approach that integrates people, process and technology. A multi-layered approach also ensures that cybersecurity doesn’t consider each layer in isolation; the entire system is vulnerable if one is unsecured.
We also know that cyber security needs to cover the entire system, not just individual devices. At the same time, it also needs to be be the responsibility of all stakeholders.
Our framework includes four fundamental cyber security principles:
- Governance: The process of identifying and managing data security risks across the organisation.
- Detect:The process of identifying and detecting cyber security events.
- Protect:The process of implementing adequate data security controls to reduce cyber security risks.
- Respond and Recover:The process of responding to events and incidents to limit the damage.